My 5 Top Ways to Escalate Privileges

During a penetration test, rarely will the tester get access to a system with the administrator privileges in thefirst attempt. You are almost always required to use privilege escalation techniques to achieve the penetration test goals.

Several people have extensivelydiscussed this topic, instead I decided to mention my top 5 favorite ways for accomplishingprivilege escalation in the most practical ways possible.

I do not specify the escalationpath, but the techniques below will fit most cases. For example: fromSYSTEM to domain account; from restricted domain account to SYSTEM/domainadministrator; anonymous to system account; and so on.

1 – Dumping the SAM file

This is probably the most common way to escalate privileges. Often, it is possible to retrieve the LM hashes from a system thatmay include some domain credentials.

Depending on the penetration test, this can be done repeatedly, onmany servers, until you find a domain administrator's hash. It is also possible to utilize theshadow copy feature from Microsoft Systems to get the "SYSKEY" and "SAM" files. One of thepossible tools that could be used for this is hobocopy.

Here are some of the tools used: gsecdump, fgdump, pwdump,meterpreter, hobocopy.

3Figure 1: Dumping the SAM file using gsedump

2 – Retrieving the /etc/passwd file

When you either have credentials or some other type of access to aUnix's file system (when there is a non-chrooted FTP server, for example), it mightbe a very good idea retrieve the /etc/passwd file. With that file in hand you can simply enumerate the usernames of that particular system. Since users arestill not used to creating or using strong passwords (specially when there is nopolicy enforcing), trying the username as the password for that account isalways a good guess.

1Figure 2: Accessing a non-chrooted FTP server and downloading the /etc/passwd file

3 – Weak Permissions on Processes

If you are in a system with high privileges (SYSTEM user on Windowssystems), you will probably might want to take a look over the services runningin that computer and check what users are running those services.

There is always the possibility to inject a malicious code in oneof those processes and, with that retrieve privileges from the process owner,such as a domain administrator.

Tools: Process Injector (http://www.tarasco.org/security/Process_Injector/)

4
Figure 3: Listing processes with "Process Injector" tool

4 – Sensitive Information Stored in Shared Folders

Shared folders can be very useful while doing a penetration test. The main reason is because it is quite common to find sensitive information being stored in those Shared Folders witheither a few restrictions or none at all. I have already mentioned somethingsimilar on my last blog post but I do not see why I can not mention this techniqueagain since it is usually very successful.

Tools: Metasploit (auxiliary/scanner/smb/smb_enumshares) – http://www.metasploit.com

[*] 10.0.20.36:139 IPC$ - Remote IPC (IPC), ADMIN$- Remote Admin (DISK), C$ - Default share (DISK)

[*] 10.0.20.37:139 print$ - Printer Drivers(DISK), Left_Xerox - Left_Xerox (PRINTER), C$ - Default share (DISK), intfaces- (DISK), Right_Xerox - Right_Xerox(PRINTER), Mailroom - Mailroom (PRINTER), *****4300 - ***** HP LaserJet 4300(PRINTER), F$ - Default share (DISK), Ops_Xerox - Ops_Xerox (PRINTER), IPC$ -Remote IPC (IPC), hp3380 - hp4240 (PRINTER), G$ - Default share (DISK), W$ -Default share (DISK), ADMIN$ - Remote Admin (DISK), Exec_Xerox - Exec_Xerox(PRINTER), T$ - Default share (DISK), LawsonPrint - PROACCT01 Lawson PrintDirectory (DISK), E$ - Default share (DISK), pospay - Bank Positive Pay Transaction Folder (DISK), Acct_4240 -Capex (PRINTER)

5 – DLL Preloading

Utilizing a combination of DLL preloading vulnerability and havingaccess to network shares, a pentester could look for a widely utilized sharedfolder where users actually execute certain applications from. Once this sharedfolder is found, the pentester could replace one of the legitimate DLLs by a speciallycrafted malicious DLL.

There are already some countermeasures to this attack beingapplied by different software vendors, however it is always worth a shot.

A list of vulnerable applications can be accessed here:

http://www.exploit-db.com/dll-hijacking-vulnerable-applications/

I decided to blog about this for a few reasons: These techniques notonly could be very helpful for anyone executing a penetration test, but they arealso still very reliable in the process of compromising systems for most of theenvironments. If you job isn't penetration testing but defending against attacks it is a good idea that you are aware of these methods as well.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.